<p>The question of how to measure the privacy risk/level of privacy protection can be viewed as a concern not only for data protection laws, but also for competition policy and enforcement. Data controllers build a competitive advantage at the expense of individual privacy, and the privacy risk can serve as an indicator, or a cover: The scenarios where high privacy risk is caused by improper data processing, such as data extraction without user consent or appropriate technical measures could, under certain conditions, produce exploitative effects (<i>German Facebook case</i>); however, the relevance of privacy risk in assessing competitive harm is premised on the importance of data for competition (<i>Microsoft/Nuance</i>), and the requirement that a data controller takes advantage of that importance, leading to a foreseeable loss of privacy interests. The scenarios where low privacy risk is decided by technically defined ‘deidentification’ (<i>Google Privacy Sandbox</i>), or contract-based consent under the cover of self-determination (<i>Apple’s ATT policy</i>; <i>Doe v. Meta</i>), cannot justify improper data processing, because the seemingly reduced privacy risk could be used as a cover to implement such practice as self-preferencing or price discrimination. It follows that the privacy protection defense cannot exempt data controllers from the data sharing obligation by simply endorsing privacy-friendly techniques, or consent-and-waiver agreement. Finally, this paper addresses the question of how to assess the privacy risk/level of privacy protection by introducing the idea of ‘data quality’, thereby contributing to the integration of competitive considerations into the data protection framework.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Rethinking the role of privacy risk in addressing abuse of data power: from both data protection and competition perspectives

  • Qing He,
  • Di Xie

摘要

The question of how to measure the privacy risk/level of privacy protection can be viewed as a concern not only for data protection laws, but also for competition policy and enforcement. Data controllers build a competitive advantage at the expense of individual privacy, and the privacy risk can serve as an indicator, or a cover: The scenarios where high privacy risk is caused by improper data processing, such as data extraction without user consent or appropriate technical measures could, under certain conditions, produce exploitative effects (German Facebook case); however, the relevance of privacy risk in assessing competitive harm is premised on the importance of data for competition (Microsoft/Nuance), and the requirement that a data controller takes advantage of that importance, leading to a foreseeable loss of privacy interests. The scenarios where low privacy risk is decided by technically defined ‘deidentification’ (Google Privacy Sandbox), or contract-based consent under the cover of self-determination (Apple’s ATT policy; Doe v. Meta), cannot justify improper data processing, because the seemingly reduced privacy risk could be used as a cover to implement such practice as self-preferencing or price discrimination. It follows that the privacy protection defense cannot exempt data controllers from the data sharing obligation by simply endorsing privacy-friendly techniques, or consent-and-waiver agreement. Finally, this paper addresses the question of how to assess the privacy risk/level of privacy protection by introducing the idea of ‘data quality’, thereby contributing to the integration of competitive considerations into the data protection framework.